July 2018

Special Focus: Refinery of the future

What are the financial savings from a refinery cybersecurity program?

Ayral, T., Honeywell Process Solutions; Fligner, M., Liberty International Underwriters

Recently, the authors developed a first-pass financial estimate of the savings resulting from the implementation of a cybersecurity program for a 100-Mbpd refinery. This work attempted to answer two questions: How does this refinery justify its cybersecurity program? If the refinery has already installed parts of a cybersecurity program and has never been attacked, what is the dollar benefit of additional cybersecurity investments?

For this typical 100-Mbpd refinery, costs from damages associated with two different types of cyberattacks were estimated. It is important to note that it is difficult to perform this type of analysis, since companies seldom publicize cyberattacks on their facilities and/or infrastructure. Some of the reasons that companies do not publicize cyberattacks include:

  • Shareholders may be concerned and/or frightened, which could result in a drop in the company’s stock price
  • The attack may reveal a possible lack of protection and prevention
  • A sense of vulnerability can open up the company to further attacks
  • Companies that have been attacked are not required by law to reveal those attacks
  • Liability insurance rates may be increased.

From discussions with refiners, the authors have learned that cyberattacks generally come from three sources: phishing emails, USB devices that are infected with viruses and malware, and disgruntled former employees who log in illegally and attack the system. Two kinds of attacks exist: ransomware and the Stuxnet malicious computer worm.

Ransomware

This type of attack is a result of a failed cybersecurity program. A ransomware attack allows the orderly shutdown of the process and allows the restart on backups. Recent ransomware examples include the WannaCry, Petya and NotPetya attacks. Ransomware demands payment to the hacker by a particular deadline; otherwise, a process shutdown results that requires a re-install of control software. The potential financial costs of a ransomware attack include the ransom payment, business interruption costs (e.g., plant shutdown) and software services to re-install software.

Risk of a ransomware-type attack. The following are statistics for calculating the risk of a ransomware-type attack:¹

  • More than 15% of businesses in the top 10 industry sectors have been attacked
  • 71% of companies targeted by ransomware attacks have been infected
  • One in five businesses that paid the ransom never got their files back
  • 72% of infected businesses lost access to data for two or more days
  • Less than 5% of companies actually pay the ransom
  • Even with backups, less than half of ransomware victims fully recover their data
  • Of the companies that have experienced ransomware attacks, 70% have fallen victim to at least one that got past their security and encrypted their files.

Cost of a ransomware attack. Using statistics and other refining data, the authors have calculated the cost of a ransomware attack on a typical 100-Mbpd refinery. The cost of an attack can be estimated as the product of the refinery throughput (e.g., 100 Mbpd), global refining margins ($8/bbl processed)² and the average length of time of a denial-of-service attack (e.g., 17.8 d),³ which comes to $14.2 MM.

To estimate the probability of a ransomware-type attack in a given year, the authors used the following statistics: 

  • More than 18% of manufacturing businesses have been attacked⁴
  • Approximately 20% are attacks on the manufacturing facility, with the remaining 80% involving the company’s information technology (IT).

The chance of a ransomware attack resulting in loss of production in a given year for a refinery without a complete cybersecurity program is shown in Eq. 1.  

0.18 × 0.2 = 0.036 (3.6%)         (Eq. 1)

The risk of a ransomware attack is estimated as the product of 0.036 × $14.2 MM, or $513,000/yr. For this analysis, the authors ignored costs related to providing computer backup reboots, restarting computers and performing shutdowns/restarts of processing units. 

Stuxnet attacks

In a Stuxnet-type attack, operator monitoring screens and data continue to display normal values, but alarms are overridden so they do not go off.⁵,⁶ Safety shutdown systems are overridden, as well. This pushes the process outside the safe operating window, which damages the plant and can even cause explosions, resulting in vapor releases, fires, business interruptions and/or fatalities.

Risk of Stuxnet-type attacks. The cost of a Stuxnet-type attack can be dramatically higher and can include business interruptions, loss of operations, lawsuits, explosions, fires, vapor releases, process unit repairs, loss of good neighbor status, government fines, liability insurance increases and/or loss of life.

In a Stuxnet attack, an estimate of these costs for a 100-Mbpd refinery is approximately $300 MM. This amount is representative of losses from major fire events in refineries. The authors’ basis for the chance of this type of event occurring is 5% of the chance of a ransomware attack. This is calculated by using Eq. 2.

0.05 × 3.6% = 0.0018 (0.18%)  (Eq. 2)

Therefore, the risk of a Stuxnet attack is estimated as $300 MM × 0.0018, which equals $540,000/yr. 

Cost from cyberattacks

Summing up the damages from both types of attacks (ransomware and Stuxnet), the total annual risk from the lack of a cybersecurity program for a 100-Mbpd refinery is $1,053,000.

Benefits of a cybersecurity program

As described in the literature,⁴ the components of a refinery cybersecurity program include performing backups and network inventory; installing firewalls, patches (especially security patches), antivirus software, whitelisting and dark device detection systems; implementing cyber policies to train employees on cyber threats and protocols; generating cybersecurity metrics; monitoring the cybersecurity system; and developing a method to point to the source of a cyber threat, along with a system that makes it impossible for an infected USB device to open a directory on the process control network.

For this analysis, the authors estimated that 80% of cyberattacks can be prevented by a cybersecurity program. Therefore, the annual savings of 80% of $1,053,000 is $842,000. TABLE 1 shows an allocation of those savings to various items in the cybersecurity program. These savings allocations were developed based on input from a team of cybersecurity experts.  
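The arithmetic above (Eq. 1, Eq. 2 and the 80% prevention estimate), carried through as a parameterised model; this is an added example, not the authors' code. The input values are the article's figures; the parameter names and the +10% one-at-a-time sensitivity sweep are assumptions of this example.

```python
# Added example: the article's annual-risk arithmetic as a parameterised model.
# Input values are the article's; the names and the +10% sensitivity sweep are
# assumptions of this example.
BASE = {
    "throughput_bpd": 100_000,    # 100-Mbpd refinery
    "margin_usd_bbl": 8.0,        # global refining margin
    "outage_days": 17.8,          # average denial-of-service duration
    "p_attacked": 0.18,           # manufacturing businesses attacked
    "frac_production": 0.20,      # share of attacks hitting the facility
    "stuxnet_ratio": 0.05,        # Stuxnet chance relative to ransomware
    "stuxnet_cost_usd": 300e6,    # loss comparable to a major refinery fire
    "prevented": 0.80,            # share of attacks a program prevents
}

def annual_risk(p):
    """Return (ransomware, Stuxnet, total) expected loss in USD/yr."""
    p_ransom = p["p_attacked"] * p["frac_production"]            # Eq. 1
    p_stuxnet = p["stuxnet_ratio"] * p_ransom                    # Eq. 2
    ransom_cost = p["throughput_bpd"] * p["margin_usd_bbl"] * p["outage_days"]
    ransom = p_ransom * ransom_cost
    stuxnet = p_stuxnet * p["stuxnet_cost_usd"]
    return ransom, stuxnet, ransom + stuxnet

def annual_savings(p):
    """Expected loss avoided per year by the cybersecurity program."""
    return p["prevented"] * annual_risk(p)[2]

def sensitivity(p, bump=0.10):
    """Percent change in savings when each input alone rises by `bump`."""
    base = annual_savings(p)
    out = {}
    for key in p:
        trial = dict(p, **{key: p[key] * (1 + bump)})
        out[key] = round(100 * (annual_savings(trial) - base) / base, 2)
    return dict(sorted(out.items(), key=lambda kv: -kv[1]))

if __name__ == "__main__":
    ransom, stuxnet, total = annual_risk(BASE)
    print(f"ransomware ${ransom:,.0f}/yr  Stuxnet ${stuxnet:,.0f}/yr  total ${total:,.0f}/yr")
    print(f"savings at 80% prevention: ${annual_savings(BASE):,.0f}/yr")
    for name, pct in sensitivity(BASE).items():
        print(f"  +10% {name:<18} -> {pct:+.2f}% savings")
```

With the article's inputs, the attack-frequency statistics and the prevention share move the savings one-for-one, while the ransomware cost inputs and the Stuxnet inputs each move it by roughly half as much.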

Takeaway

A financial estimate of cybersecurity risk from two types of attacks was presented, along with a list of items in a complete refinery cybersecurity program, with the allocated savings per item. A review of literature was performed to determine a possible methodology for this analysis.⁷,⁸,⁹ The method presented in this work is simpler and does not conflict with methods and results published in the aforementioned literature. The greatest challenge is the lack of statistics due to the secrecy concerns described previously.

Literature cited

  1. Crowe, J., “Ransomware growth by the numbers: Ransomware statistics 2017,” June 2017.
  2. Rhodes, M., “HP Industry Metrics,” Hydrocarbon Processing, July 2017.
  3. Ponemon Institute, “2016 cost of cyber crime study and the risk of business innovation,” October 2016.
  4. Crowe, J., “Ransomware by the numbers: Must-know ransomware statistics 2016,” Barkly, August 2016.
  5. Ayral, T. and J. O’Donnell, “Minimize cyber security risk in plants in 12 steps,” Hydrocarbon Processing, July 2016.
  6. Wikipedia, “Stuxnet,” https://en.wikipedia.org/wiki/Stuxnet.
  7. Canadian Royal Mounted Police Technical Security Branch, “Harmonized threat and risk assessment (TRA) methodology,” October 2007.
  8. United States Department of Homeland Security, National Cyber Security and Communications Integration Center, “Seven steps to effectively defend industrial control systems.”
  9. United States Department of Homeland Security, National Cyber Security and Communications Integration Center, “Recommended practice: Improving industrial control system cybersecurity with defense-in-depth strategies,” September 2016.
